Researchers hack into Gmail with 92 percent accuracy
Posted on Aug 22 2014 | IANS
Washington, Aug 22 : A team of US engineers has developed a method that allows them to successfully hack into apps including Gmail up to 92 percent of the time.
They have identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users.
Researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested.
Among the apps they easily hacked were Gmail, CHASE Bank and H and R Block.
Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate.
Once a user downloads a bunch of apps to his or her smart phone they are all running on the same shared infrastructure, or operating system.
"The assumption has always been that apps cannot interfere with each other easily. We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user," explained Zhiyun Qian, an assistant professor at University of California's Riverside Bourns College of Engineering.
The attack works by getting a user to download a seemingly benign, but actually malicious app, such as one for background wallpaper on a phone.
Once that app is installed, researchers were able to exploit a newly discovered public side channel - the shared memory statistics of a process, which can be accessed without any privileges.
Shared memory is a common operating system feature to efficiently allow processes share data.
Augmented with a few other side channels, the team showed that it was possible to fairly accurately track in real time which activity a victim app is in.
"This method will work on other operating systems because they share a key feature researchers exploited in the Android system," Qian noted.
The paper was scheduled to be presented at the 23rd USENIX Security Symposium in San Diego Friday.